Is It Safer? The Complexities of UC and Security

Linking infrastructure elements and applications in a UC mesh clearly changes the security picture. What isn't clear is whether it is for better or worse. On one hand, a unified infrastructure can reduce the steps necessary to achieve a universal result, such as denying access to a terminated employee. On the other hand, it can enable a single vulnerability to affect the entire infrastructure.

Is securing unified communications infrastructure and applications fundamentally different from securing the various elements when they are not linked in a UC web? Does securing UC ultimately simply come down to using the security best practices for each of the pieces of the system? The answer to both questions is a resounding yes.

That seems to be a contradiction: How can securing UC be the same and different from securing a group of separate applications and network elements?

UC is nothing more than cleverly knit together applications and infrastructure. Thus, a big piece of the security picture is using best practices for each of those elements. At the same time, integrating these systems introduces its own potential risks and efficiencies that are absent if each operates in a vacuum.

This dichotomy – the difference between protecting a group of independent elements versus protecting a single holistic system – is something that IT departments must think hard about as UC platforms become more sophisticated and take over an increasing percentage of the organization's communications.

"In a UC platform, you are more likely to find a single vendor to deal with all modalities across the UC mesh.”

Nick Sears

VP, FaceTime

The common wisdom is that good security on each of the applications spells good security for the entire UC platform. To a great extent, this is true. And, to a great extent, the security discussion is the same whether applications are linked by UC or not. "Whether [apps] are separate or in a UC platform, the same security considerations exist,” says Nick Sears, the Vice President of Europe, the Middle East and Asia for FaceTime.

While it is true that good security on each application is a huge step toward good overall security, the use of UC dictates some changes.

From the corporate and operational point of view, a holistic UC approach increases the chances that security equipment purchases are focused on a single vendor or vendors that work together. "In a UC platform, you are more likely to find a single vendor to deal with all modalities across the UC mesh,” says Sears. "There are solutions that enable you to deal with a single policy management framework.”

A second difference is that the unification of communications means that policies, as well as their execution and enforcement, are centralized. If executed well, this will greatly benefit the organization. For instance, most IT policies mandate that a departing employee's access to communications tools – his or her communications modalities, in UC parlance -- be revoked in a timely fashion. This process can be done far more effectively in an environment in which all or most of that employee's applications are linked. Of course, it also is possible that he or she will have access to more things for a longer period of time if that element of the UC platform is poorly managed.

"In a unified security scheme, when someone pulls the plug on an authenticated user, the system will shut all the openings that may be exposed,” says Dieter Rencken, a senior product manager for ShoreTel. "If it's a piecemeal system, that might be harder to do. You may have to interact with different authenticated databases. You may even overlook some.”

Risky Business

Such unification brings challenges. Adam Boone, the vice president of marketing for security vendor Sipera Systems, said that his company essentially sees UC and real-time communications – VoIP, streaming and other synchronous applications in which exchanges happen in real time – as synonymous. Boone acknowledges the possible risks of a broader vulnerability or infection entering through one application and spreading to others.

"We had a vulnerability about a year ago which was a VoIP-to-data exploit,” he says. "If the company was running VoIP and had laptops with VoIP clients, in some cases attackers could attack the client and gain control of the laptop. That was an example of using one vector and jumping out to take control of a different system. [If successful], they would then own the entire network or PC and gain access to any network resource, including those on the data side.”

Boone added that presence data itself must be protected. Information conveyed in presence functions – that the CEO is traveling, for instance – is valuable to phishers, who have been known to do a lot of damage with even less information.

The world is made of various shades of gray. Two distinct scenarios – one in which all communications services are unified and another in which they all are discrete – are not common. Far more often, Sears says, there are variations on the two themes.

Two Scenarios Mix, Complexity Ensues

The mix of the two scenarios is complicated by several other factors. Employees often use tools and applications that, in Sears' terms, are "self-adopted.” This was common several years ago in the wireless LAN segment, when workers would simply plug in a consumer-grade access point to create an ad hoc work group. It also is evident today in mobility, as more people use their powerful smartphones and other devices for work – many without thinking twice about it. The IT department generally is not even aware of these rogue devices and platforms and, consequently, can't secure them.

The second complication is that the seemingly exponential rise of mobility makes it almost inevitable that unsecured networks – such as the open Internet – are part of the security mix.

Finally, the desire to use Web 2.0 tools to reach to partners, suppliers, the public and other outsiders complicates the policies under which the organization works. A UC policy for internal use likely will be different from security steps taken to protect public-facing Web 2.0 collaboration tools, which in some cases come under the UC umbrella.

None of these issues are specific to unified communications. They simply change when they occur in a unified communications infrastructure.

That change can be for the better if the creation of an efficient multi-application security infrastructure is created. There is danger, however, if steps are not taken to limit the chances that an entry point into the unified communications infrastructure allows a worm, virus, phishing exploit or other kind of attack to affect the organization's entire communications infrastructure.